The simplest way to carry around the documents you want to use with Tails
and make sure that they haven't been accessed or modified is to store them
in an encrypted volume: a dedicated partition on a USB stick or external
hard-disk.

Tails comes with utilities for LUKS, a standard for disk-encryption under
Linux.

GNOME Disks allows you to create
encrypted volumes.

The GNOME desktop allows you to open encrypted volumes.

To store encrypted files on a Tails USB stick, it is recommended to create a
persistent volume instead.

Name: you can set a name for the
partition. This name remains invisible until the partition is open
but can help you to identify it during use.

Passphrase: type a passphrase for the
encrypted partition and repeat it to confirm.

Then click Create.

If an error occurs while creating the new partition, try to unplug the
device, restart GNOME Disks,
and follow all steps again from the beginning.

Creating the partition takes from a few seconds to a few minutes. After
that, the new encrypted partition appears in the volumes on the device:

If you want to create another partition in the free space on the
device, click on the free space and then click on the button again.

Use the new partition

You can open this new partition from the sidebar of the file browser with
the name you gave it.

After opening the partition with the file browser, you can also access it
from the Places menu.

Open an existing encrypted partition

When plugging in a device containing an encrypted partition, Tails does not
open the partition automatically but you can do so from the file browser.

Choose
Places ▸
Computer
to open the file browser.

Click on the encrypted partition that you want to open in the sidebar.

Enter the passphrase of the partition in the password prompt and click
Unlock.

If you choose the option Remember Password and have
the GNOME Keyring
persistence feature activated, the password is stored in the persistent storage and remembered across multiple
working sessions.

After opening the partition with the file browser, you can also access it
from the Places menu.

To close the partition after you finished using it, click on the button next to the partition in the sidebar of the
file browser.

Storing sensitive documents

Such encrypted volumes are not hidden. An attacker in possession of the
device can know that there is an encrypted volume on it. Take into
consideration that you can be forced or tricked to give out its passphrase.

Opening encrypted volumes from other operating systems

It is possible to open such encrypted volumes from other operating
systems. But, doing so might compromise the security provided by Tails.

For example, image thumbnails might be created and saved by the other
operating system. Or, the contents of files might be indexed by the other
operating system.

Change the passphrase of an existing encrypted partition

To open GNOME Disks choose
Applications ▸
Utilities ▸
Disks.

Plug in the external storage device containing the encrypted partition that you
want to change the passphrase for.

The device appears in the list of storage devices. Click on it:

Check that the description of the device on the right side of the screen
corresponds to your device: its brand, its size, etc.